Created on 11-09-2017 11:07 AM
Edited on 04-16-2025 05:24 AM
By Jean-Philippe_P
Description
This article describes how to fix the 'IP not updating' problem with FortiGuard DDNS.
When the public IP of a FortiGate changes, the FortiGuard DDNS update must be sent out over one specific ISP interface, and in some cases FortiGuard DDNS does not update the IP.
One possible fix is to configure a static route so that traffic from the FortiGate to the FortiGuard DDNS server IP address leaves through that specific Internet connection. This is shown below, together with other possible causes of the problem.
Related document:
DDNS
Scope
FortiGate.
Solution
One common solution is to configure a static route to a known FortiGuard DDNS server IP through a specific ISP Internet connection.
First of all, make sure that the FortiGate knows the new public IP address. This is reflected in the Dashboard status widget, or under Network -> DNS.
Make sure this is the correct public IP that should be published in DDNS. If it is not, run the following commands to check which public IP the FortiGate has detected (the second queries the external ipify service):
diagnose system waninfo
diagnose system waninfo ipify
Run the following command from the CLI to find out the IP address used by FortiGate for the DDNS server:
diagnose test application ddnscd 3
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230 <-- FortiGuard IP used to create the static route.
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
(Article: checking DDNS settings)
Creating the static Route:
config router static
edit 0
set status enable
set dst 208.91.113.230
set gateway <ip_gateway> <- The ISP gateway (next-hop) IP on that link.
set device <interface_name> <- The WAN interface of the Internet connection the update must use.
next
end
Another step is to pin the FortiGuard DDNS server IP address to a fixed value. Otherwise the FortiGate may switch to a different server IP from the FortiGuard list, and traffic to that new IP would no longer match the static route, rendering it useless:
config system fortiguard
set ddns-server-ip 208.91.113.230
end
Or, using the alternative FortiGuard DDNS server IP (the static route destination must then be changed to match):
set ddns-server-ip 173.243.138.225
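The procedure above (read the server IP from 'diagnose test application ddnscd 3', add a host route for it, pin ddns-server-ip to the same value) is easy to get wrong by hand, typically by pinning one server IP and routing another. The following script is an added example, not Fortinet code: it parses the diagnose output in the format shown above (constructed sample embedded) and renders the two CLI blocks so they always agree on the server IP. The gateway 203.0.113.1 and interface wan1 are placeholders to replace, and the /32 mask is written out explicitly rather than relying on the CLI default.

```python
"""Turn 'diagnose test application ddnscd 3' output into the static route and
ddns-server-ip CLI.  Added example, not Fortinet code.  Assumes the output
format shown in the article: 'svr[N]= <ip>' and 'domain[N]= <name>' lines.
"""
import ipaddress
import re

# Constructed sample, shaped like the article's output (not a real capture).
SAMPLE_DDNSCD_3 = """\
FortiDDNS status:
ddns_ip=208.91.113.230 ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com
"""

DDNS_IP_RE = re.compile(r"ddns_ip=(\S+)\s+ddns_port=(\d+)")
SVR_RE = re.compile(r"^svr\[(\d+)\]=\s*(\S+)")
DOMAIN_RE = re.compile(r"^domain\[(\d+)\]=\s*(\S+)")


def parse_ddnscd_status(text):
    """Return the active server IP/port plus the server and domain lists."""
    status = {"ddns_ip": None, "ddns_port": None, "servers": [], "domains": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = DDNS_IP_RE.search(line)
        if m:
            status["ddns_ip"] = str(ipaddress.ip_address(m.group(1)))
            status["ddns_port"] = int(m.group(2))
            continue
        m = SVR_RE.match(line)
        if m:
            # Validate so a garbled line can never end up in a 'set dst'.
            status["servers"].append(str(ipaddress.ip_address(m.group(2))))
            continue
        m = DOMAIN_RE.match(line)
        if m:
            status["domains"].append(m.group(2))
    return status


def static_route_cli(server_ip, gateway, device):
    """Host route that forces traffic to the DDNS server out of one ISP link."""
    ipaddress.ip_address(server_ip)
    ipaddress.ip_address(gateway)
    return "\n".join([
        "config router static",
        "    edit 0",
        "        set status enable",
        f"        set dst {server_ip} 255.255.255.255",
        f"        set gateway {gateway}",
        f"        set device {device}",
        "    next",
        "end",
    ])


def pin_ddns_server_cli(server_ip):
    """Pin the DDNS server so the FortiGate cannot drift off the routed IP."""
    ipaddress.ip_address(server_ip)
    return "\n".join([
        "config system fortiguard",
        f"    set ddns-server-ip {server_ip}",
        "end",
    ])


def build_fix(text, gateway, device):
    """Pick the server the daemon is already using and emit both CLI blocks."""
    st = parse_ddnscd_status(text)
    if not st["servers"]:
        raise ValueError("no svr[] entries found; re-run the diagnose command")
    server = st["ddns_ip"] if st["ddns_ip"] in st["servers"] else st["servers"][0]
    return static_route_cli(server, gateway, device) + "\n" + pin_ddns_server_cli(server)


if __name__ == "__main__":
    # Placeholders: replace with the real ISP gateway and WAN interface name.
    print(build_fix(SAMPLE_DDNSCD_3, "203.0.113.1", "wan1"))
```

Paste the rendered output into the CLI of the unit; if the diagnose output lists more than one svr[] entry, the script prefers the one reported as ddns_ip so that the route and the pinned server match.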
If the problem persists, verify the configuration on the unit and then run the debug commands below to show potential problems with DDNS:
diagnose debug application update -1
diagnose debug application ddnscd -1
diagnose debug console timestamp enable
diagnose debug enable <----- Wait 5-10 minutes until the DDNS timeout expires and relevant output is produced.
diagnose debug disable
The following errors may be seen:
Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to internal/config/connect/io err --> The suffix is one of internal, config, connect or io; this usually points to a routing error.
A possible fix when the FortiGate's WAN interface carries a private address from a local subnet behind the ISP router (so the interface IP is not the public IP) is to change the following in the DDNS setup:
config system ddns
edit 1
set use-public-ip enable <----- Make sure this is enabled: Technical Tip: DDNS update with public IP on internal firewalls.
set monitor-interface "port4" <- Make sure this is the WAN interface.
next
end
(Run 'show' inside 'config system ddns' first to list the existing entries and confirm the entry ID.)
failed to establish SSL connection <-- This shows a problem connecting to the FortiGuard servers. Check the FortiGuard settings and change them accordingly: Technical Tip: FortiGuard is not reachable via Anycast default method.
next wait timeout 10 seconds.
This is not an error, but a repeating timer message showing that the DDNS daemon is active. In some cases it may be the only thing displayed (no other output even after 15 minutes).
In this case, restart the DDNS update and query the daemon:
execute update-now
diagnose test app ddnscd 2
diagnose test app ddnscd 4
-->ResponseStatus=-2
fgt_unpack_fcpr()-578: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
fgd_ddns_fcp_exchange()-935: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
'ResponseStatus=-2' indicates that the requested domain name either does not exist or is registered to a different device serial number.
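The debug messages listed above (the 'Failed on update ... err' line, the SSL failure, the 'next wait timeout' keep-alive and the ResponseStatus code) each map to a different next step. The following is an added example, not Fortinet code: it runs that triage over captured ddnscd debug output and flags the stalled case where only timer messages appear. The sample lines are constructed to mirror the messages quoted in this article, with made-up timestamps; the hint texts are this article's guidance, and any ResponseStatus other than -2 is simply reported for the TAC ticket because this article documents no other code.

```python
"""Triage 'diagnose debug application ddnscd -1' output.
Added example, not Fortinet code.  Patterns follow the messages quoted in the
article; the sample below is constructed, not a real capture."""
import re
from collections import Counter

SAMPLE_DEBUG = """\
2025-04-16 05:24:01 ddnscd: next wait timeout 10 seconds.
2025-04-16 05:24:11 Failed on update FortiGuardDDNS (your_domain.fortiddns.com), due to connect err
2025-04-16 05:24:21 failed to establish SSL connection
2025-04-16 05:24:31 fgt_unpack_fcpr()-578: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-2|Command=DDNSRemove|DomainName=xyxy.fortiddns.com
2025-04-16 05:24:41 ddnscd: next wait timeout 10 seconds.
"""

TIMER_RE = re.compile(r"next wait timeout \d+ seconds")
UPDATE_FAILED_RE = re.compile(
    r"Failed on update FortiGuardDDNS \(([^)]+)\), due to (\w+) err")
SSL_FAILED_RE = re.compile(r"failed to establish SSL ?connection", re.IGNORECASE)
STATUS_RE = re.compile(r"ResponseStatus=(-?\d+)")

# Only -2 is documented in the article; anything else goes to the TAC ticket.
STATUS_HINTS = {
    "-2": "domain does not exist or is registered to a different serial number",
}


def classify_line(line):
    """Return (category, detail, hint) for one debug line, or None if unknown."""
    if TIMER_RE.search(line):
        return ("timer", None, "keep-alive only, not an error")
    m = UPDATE_FAILED_RE.search(line)
    if m:
        return ("update_failed", f"{m.group(1)}: {m.group(2)} err",
                "usually a routing error: check the static route to the DDNS "
                "server IP and the ISP interface it uses")
    if SSL_FAILED_RE.search(line):
        return ("ssl_failed", None,
                "cannot reach FortiGuard: review FortiGuard settings "
                "(anycast, sdns-server-ip)")
    m = STATUS_RE.search(line)
    if m:
        code = m.group(1)
        return ("response_status", code,
                STATUS_HINTS.get(code, "status code not covered here; "
                                       "include this line in the TAC ticket"))
    return None


def triage(text):
    """Summarise debug output: findings, and 'stalled' when only timer
    messages appeared (the nothing-but-timeouts case in the article)."""
    findings = []
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = classify_line(line)
        if result is None:
            continue
        counts[result[0]] += 1
        if result[0] != "timer":
            findings.append(result)
    stalled = counts["timer"] > 0 and not findings
    return {"findings": findings, "stalled": stalled,
            "timer_messages": counts["timer"]}


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    for category, detail, hint in report["findings"]:
        print(f"{category:16} {detail or '-':45} -> {hint}")
    if report["stalled"]:
        print("only timer messages seen: run 'execute update-now' and "
              "'diagnose test app ddnscd 2/4'")
```

Feed it the captured console output (with timestamps enabled as above); a report with no findings and stalled=True is the signal to try the restart commands that follow, while an update_failed finding points back at the static route section.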
The DDNS server list is obtained from FortiGuard, so the FortiGuard settings may need to be reviewed. Sometimes disabling fortiguard-anycast and setting the SDNS server IPs manually helps:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53
end
If none of these steps allows the correct update of the IP, contact the Fortinet TAC team by creating a ticket for the issue and providing the above logs.
Updating the device with a new ISP link:
If the ISP link is replaced with one that has a new public IP, and the DDNS entry must resolve to that new IP, contact the TAC team to delete the old DDNS entry from the FortiGuard database.
After that, in the DDNS settings via the CLI, copy the configuration of the existing entry, delete that entry, then paste the copied configuration back and change only the 'set monitor-interface' attribute to the new WAN port.